Risk Management & Regulatory Compliance, Change Management, Risk Management, Governance & Policy

4 minute read

Modern Banking Offerings Require a Modern ERM Framework to Balance Fintech Risk

Jun 30, 2022

Written by: Alison Reagan

 

“The secret of change is to focus all of your energy not on fighting the old, but on building the new.” - Socrates

 The great philosopher’s profound words of wisdom echo in our lives today. 

So many times, we find ourselves fighting to actually keep the old and make it work. Change can be hard, but it can also bring amazing opportunity and move your institution to the next level. Fintechs have brought this type of change to the banking industry. These visionaries develop products and services that take the customer experience to places we might not have even dreamed possible.

But with those innovative opportunities comes risk. And this change is coming fast: Nearly two-thirds of banks and credit unions already have at least one fintech partnership, with almost 40% of those who have yet to test those waters expected to take the dive this year.

We all have our enterprise risk management (ERM) frameworks in place; our regulators require it. That framework paints a picture that tells our risk story. We dust it off once in a while, most likely right before an exam. But if we’re truly using this as intended, this tool can help us in building the new, which fintechs represent. That begs the question: Does your risk framework recognize fintechs as a risk category?

Knowing the right risk tier for fintechs

We often find ourselves putting risks into silos within our assessment. However, for our risk story to truly identify the risk associated with fintechs, we must integrate these new organizations across the ERM platform. If you simply think you can put risk associated with fintech partnerships in its own bucket, you’re not truly understanding what risk is at stake if the relationship goes off the rails. Many organizations weigh risks by tier, and fintechs should be in the highest risk tier because these companies generally have access to your most proprietary customer data. You need to take the time to calculate the specific fintech risk and weigh it accordingly in your ERM.

In this same sense, banks often find they’ve put the cart before the horse by onboarding a fintech relationship before truly assessing the risk. It might be your board is gung-ho about what a fintech can offer and pushes for a speedy onboarding. To get that competitive edge, you’re cornered into signing off on the deal without conducting as exhaustive due diligence as you’d prefer. Go back when the dust settles, assess the risk you’ve brought on and adjust accordingly.  

To that point, timing is critical when you don’t have the time. Your ERM framework for fintechs needs to be in place before you start working with one. So, if you’ve found yourself in the above example, take that moment and learnings to develop a more efficient, streamlined way for future onboardings. There is no better time to start than now. As risk and compliance professionals, we often feel like all we do is put out fires. Wouldn’t it be great to have this one extinguished before it starts? Identifying potential risks before you engage with a fintech sets you up for a win before you sign up for the race.

Building an ERM framework for modern banking

So how do you develop a modern risk framework that balances the creativity of a new generation with the risk-aware structure of a legacy institution?

1. Understand your operating model.

Spinnaker’s own risk practice lead, Cara Williams, identified four key elements to incorporate into your risk management framework in her recent white paper, Turning a Solid Risk Management Framework into a Competitive Advantage. She references critical elements to consider as you start your risk management framework.

Within these elements is the operating model, which distinguishes the roles and responsibilities of every player. It is a deep dive into the expected contributions of each player in the overall risk management framework. Understanding how each player functions within the framework will assist in being nimble enough to act quickly when a change opportunity occurs.

2. Conduct your due diligence.

When you identify a fintech as a major player in your ERM program, the roles and responsibilities will be defined during the initial due diligence phase, and your institution will be primed to quickly move to adjust for any future change opportunities.

Another strong resource I have referenced in earlier articles is the Federal Reserve’s Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks. This guide provides a helpful roadmap of expectations for fintech relationships that you can be certain will be looked at during your next exam. Now, don’t dismiss this if you don’t fall under the community bank umbrella. This is an excellent resource to review when preparing or even expanding your ERM framework to incorporate fintechs.

Of particular interest with respect to your ERM, although the entire article applies in general, is the recommendation to review the fintech’s risk management and controls. Within this section the Federal Reserve points to consideration for policies and procedures applicable to the products and services they will be offering to your institution. This includes reviewing for responsibilities and reporting and how employees are expected to comply with policies and procedures.

3. Decide if a fintech partnership aligns with your risk appetite.

Going into business with a fintech can create exponential opportunities for revenue and risk. You have to decide which is worth more.

Once you’ve identified and reviewed the associated risk with partnership, take a critical moment to step back and assess whether or not the fintech aligns with your institution’s own risk appetite. Review the fintech’s policies and procedures to confirm if these sync with your institution’s policies and procedures, especially in areas where your organization has taken a hard stance for low risk tolerance.

Strong ERM frameworks start with leadership

In closing, I have one word for you to consider: leadership. As a risk manager, you must have buy-in from your board and top executives. You must understand their risk appetite, and you must keep this in mind as you build out the ERM framework, including how you integrate new fintech relationships. Your leaders set the tone for the rigor and efficacy of your ERM.

To quote Winston Churchill: “To improve is to change; to be perfect is to change often.”

Has your risk framework kept pace with the changing times? Spinnaker Consulting Group has the knowledge and experience to help in building or enhancing your ERM to reflect the greater roles that fintechs are playing in modern banking. In partnership with you, we go beyond the traditional considerations for ERM to meet today’s demands and help you rest easy – knowing you’re prepared for if (and when) that fintech risk surfaces.